Service operations for Windows resources

The following service operations are performed on Windows resources on behalf of the domain or local service account:

  • Checking the connection to the resource
  • Synchronizing local accounts
  • Checking local account passwords
  • Changing local account passwords
  • Getting operating system data
  • Getting the list of security groups

Configuring a domain account as the service account

  1. Log in to the resource
  2. Run the Computer Management snap-in
  3. Switch to System Tools - Local Users and Groups - Groups
  4. Open the context menu of the Administrators group
  5. Select Properties
  6. Click Add
  7. Select the domain account to be used as the service account for the resource and click OK

Configuring a local account as the service account

If you plan to use the local built-in administrator account as the service account, no additional configuration is required. Otherwise, proceed as follows:

  1. Log in to the resource
  2. Run the Computer Management snap-in
  3. Switch to System Tools - Local Users and Groups - Groups
  4. Open the context menu of the Administrators group
  5. Select Properties
  6. Click Add
  7. Select the local account to be used as the service account for the resource and click OK
  8. Run the Windows Registry Editor (RegEdit)
  9. Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ branch
  10. Open the context menu of the System key
  11. Select Create - DWORD (32-bit) Value
  12. Name the new value LocalAccountTokenFilterPolicy
  13. Open the context menu of the LocalAccountTokenFilterPolicy value
  14. Select Modify and set Value data to 1

The registry change is required because remote WinRM management is restricted (by UAC remote token filtering) for all local accounts except the built-in administrator account.

Configuring Indeed PAM Core to perform service operations on behalf of local resource accounts

Service operations are performed over WinRM. To use local resource accounts as service accounts, you need to add the resource to the WinRM TrustedHosts list on the Indeed PAM Core server.

Configuring the TrustedHosts list

  1. Log in to the server on which Indeed PAM Core will be installed
  2. Run Command Prompt (CMD) as Administrator
  3. Execute the following command:

    C:\>winrm s winrm/config/client @{TrustedHosts="Resource1.domain.local, Resource2.domain.local"}

The specified resources are added to the TrustedHosts list.

Warning

When adding new resources to the trusted list, you must specify both the previously added resources and the new ones, since the new value overwrites the old one:

    @{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local, NewResource.demo.local"}
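The following PowerShell script is an added example, not part of the Indeed PAM documentation: it extends TrustedHosts on the Indeed PAM Core server by merging the new resources into the current list instead of replacing it, which is the mistake the warning above describes. The host names are placeholders; the script assumes an elevated PowerShell session on the Core server and uses the built-in WSMan: drive rather than winrm.cmd.

```powershell
# Added example (not from the Indeed PAM documentation). Extend the WinRM
# TrustedHosts list on the Indeed PAM Core server without losing the
# resources added earlier. Host names are placeholders; run elevated.

$NewResources = @('Resource3.demo.local', 'NewResource.demo.local')

# A wildcard would make the client send credentials to any host over
# NTLM, so refuse it; resources must be listed explicitly.
if ($NewResources -contains '*') {
    throw 'Refusing to add "*" to TrustedHosts; list resources explicitly.'
}

# Read the current value (empty string when nothing is trusted yet).
$current  = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
$existing = @()
if ($current) {
    $existing = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Merge old and new entries, case-insensitively, dropping duplicates.
$seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$merged = foreach ($host in @($existing) + @($NewResources)) {
    if ($seen.Add($host)) { $host }
}

$value = $merged -join ','
Write-Host "Setting TrustedHosts to: $value"

# Writing the full merged list is equivalent to the doc's "winrm set"
# command, but with the previously trusted resources preserved.
# -Force suppresses the confirmation prompt.
Set-Item -Path 'WSMan:\localhost\Client\TrustedHosts' -Value $value -Force

# Show the resulting list so the change can be checked.
(Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts').Value
```

TrustedHosts only matters for connections that cannot use Kerberos (local accounts authenticate with NTLM), and an entry means the client will send credentials to that host without mutual authentication, so keep the list limited to the managed resources.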


Service operations for *nix resources

The following service operations are performed on *nix resources on behalf of the local service account:

  • Checking the connection to the resource
  • Searching for local accounts
  • Checking local account passwords
  • Changing local account passwords
  • Getting operating system data
  • Getting the list of security groups

Creating and configuring a service account

  1. Log in to the resource.
  2. Run Terminal.
  3. Create a user, for example IPAMService:

    adduser IPAMService

  4. Add the user to the sudo group:

    usermod -aG sudo IPAMService


Configuring a group of privileged accounts

Indeed PAM automatically discovers Access accounts and adds them based on whether they are permitted to run commands with sudo. To grant an account permission to run sudo, edit the /etc/sudoers file.


Indeed PAM does not use any third-party cloud services in its work. All software updates are made by an authorized person (system administrator) manually, without access to the Internet.

Indeed PAM can authenticate users with two-factor authentication. This function relies on third-party software, for example Google Authenticator. It is active by default and can be disabled by an authorized person in systems that restrict the use of this mechanism.

To make sure the two-factor authentication mechanism is disabled, set the "Enable2fa" parameter to "false" in the configuration file (by default C:\inetpub\wwwroot\idp\appsettings.json), and in the Indeed PAM user table dbo.AspNetUsers (by default in the IPAMIdp database) set the "TwoFactorEnabled" value to "false" in the row of each user.